Exposure notifications privacy policy

Colorado Department of Public Health and Environment CO Exposure Notifications Privacy Policy
Effective as of October 18, 2020

This “Privacy Policy” explains how the Colorado Department of Public Health and Environment (“CDPHE”) collects, uses, discloses, and otherwise processes end users’ data in connection with the CO Exposure Notifications mobile service (“CO Exposure Notifications”). This Privacy Policy also describes the choices available to individuals with respect to data when using CO Exposure Notifications. Please refer to CDPHE’s general privacy policies for additional information.

ABOUT CDPHE, LOCAL PUBLIC HEALTH AUTHORITIES, AND CO EXPOSURE NOTIFICATIONS 

CDPHE oversees public health efforts throughout the State of Colorado and works in conjunction with local public health authorities (LPHA), Health Information Exchanges (HIEs), and associated provider networks to provide notification to those who have been exposed to someone with COVID-19. CO Exposure Notifications is a service that allows CDPHE, LPHAs, or authorized health authorities to anonymously notify you if you may have been exposed to the virus that causes COVID-19. 

USING THE SERVICE

Using CO Exposure Notifications is completely voluntary and you may choose to install and uninstall CO Exposure Notifications at any time. CO Exposure Notifications will never collect, track, or store your location, GPS information, or personal information.

ENABLING EXPOSURE NOTIFICATIONS

Enabling exposure notification in CO Exposure Notifications is your choice. You can enable and disable such notification at any time. CO Exposure Notifications must be enabled for CO Exposure Notifications to: exchange the random codes with other CO Exposure Notifications users who you come into close contact with; for you to receive exposure notifications; or for you to notify other CO Exposure Notifications users if you test positive for COVID-19 by sharing your random codes through a positive report.

HOW IT WORKS      

CDPHE, LPHAs, and authorized health authorities will never collect or process any personally identifiable information from CO Exposure Notifications. 

If an individual has installed CO Exposure Notifications on their device, that device will make a Bluetooth connection with other devices within their proximity to exchange random device keys if the other users have installed CO Exposure Notifications. These random device keys do not collect or process any location or personally identifiable information. 

Individuals who have CO Exposure Notifications installed on their device and have a confirmed case or probable diagnosis of COVID-19 will be contacted by their LPHA, CDPHE, or an authorized health authority with a PIN that is randomly generated. If a user tests positive for COVID-19, they may choose to notify other CO Exposure Notifications users with whom they have had close contact. Providing notification to other CO Exposure Notifications users with whom you have had close contact is completely voluntary and does not reveal your identity. To trigger a notification to other users, the user who tests positive for COVID-19 must enter their valid, 8-digit PIN or use a PIN via a link that is sent in a text message. This PIN is used to verify your positive diagnosis and prevent false reports. This PIN is not associated with your identity.

Once the PIN is entered, CO Exposure Notifications’ algorithm will conduct a risk calculation using the time, duration, and Bluetooth signal (proximity indicator) for potential contacts. CO Exposure Notifications will notify other CO Exposure Notifications users who meet criteria for being a close contact as having a potential exposure risk. CO Exposure Notifications’ notification will state that the user may have potentially been exposed to a COVID-19-infected individual and will provide instructions on how and where to get tested. Such notifications will not include the potentially infected individual’s identity or the date, time, or location of the exposure.

All random device PINs provided by an LPHA, CDPHE, or an authorized health authority will not include any location or identifying information. All PINs are anonymous and auto-generated. The Bluetooth identifiers, random device keys, and associated metadata are deleted from your device on a rolling, 14-day window.

PAUSING OR TERMINATING PARTICIPATION

Participation in CO Exposure Notifications may be terminated at any time by deleting or uninstalling CO Exposure Notifications from your device. Participants may also pause CO Exposure Notifications at their discretion. After CO Exposure Notification is deleted or uninstalled, your device will no longer generate or exchange random codes with other users’ mobile devices. Any random codes that were previously shared with other CO Exposure Notifications users will be automatically deleted after 14 days from the date the code was generated.

SHARING INFORMATION

The following event data may be processed and collected in CO Exposure Notifications:

  • Installing CO Exposure Notifications.
  • Receiving an exposure notification.
  • Submitting a verified PIN.
  • Downloading anonymous tokens for positive users that have chosen to notify others.

CDPHE uses the above event information to understand how CO Exposure Notifications is being used. This data may be shared with CDPHE, public health entities or authorized health authorities. It may also be used in an aggregate and anonymous form for statistical or scientific research purposes. This information will not include any personal or location information nor will it be used to identify any CO Exposure Notifications user. CDPHE or LPHA may also define and send metadata related to your transmission risk including how the diagnosis was reported.

OPTING OUT OF PUSH NOTIFICATIONS

If you opt-in to receive push notifications within CO Exposure Notifications, it may send push notifications or alerts to your mobile device from time to time. You may deactivate push notifications and alerts at any time by deleting or disabling CO Exposure Notifications, changing your device settings, or changing the push notification settings within CO Exposure Notifications.

AGE REQUIREMENTS

CO Exposure Notifications is not intended for children under the age of 13, and CDPHE does not knowingly allow a child under 13 to use the service. If you are between the ages of 13 and 17, you can only use CO Exposure Notifications if your parent or legal guardian has reviewed and agreed to the Terms of Service on your behalf.

CHANGES TO OUR PRIVACY POLICY

CDPHE and OIT may update this Privacy Policy or their general Privacy Policies from time to time. If material changes are made to the Privacy Policy, CDPHE will notify you by posting the changes on CO Exposure Notifications or by using the contact information you provide to CO Exposure Notifications. The notification will indicate when such changes will become effective.

If you object to a new Privacy Policy, you may terminate participation in CO Exposure Notifications by deleting or uninstalling CO Exposure Notifications from your device.

CONTACTING US

If you have any feedback, questions, comments, or concerns relating to this Privacy Policy or CDPHE privacy practices, please contact us at covid19.colorado.gov, co_exposure_notifications@state.co.us or write to us at the following address:

Colorado Department of Public Health and Environment
Re: CO Exposure Notifications
4300 Cherry Creek Drive South
Denver, CO 80246